ASA - AnyConnect SSL VPN - Problems restricting client traffic with the "Webvpn Filter" command and Webtype ACL
I'm trying to restrict traffic of an AnyConnect (client-based SSL VPN) WebVPN user. I am using a "webtype" access-list to define the permitted HTTP and CIFS URLs. Then I am applying the access-list in the user attributes webvpn mode using the "filter value acl" command. Unfortunately, the user still has access to all of the resources that all of the other WebVPN users have. I don't want to set up a separate group policy for just one user, and I'm not really confident that this filtering will work in the group policy if it doesn't work at the user level, as the configuration seems exactly the same. User attributes are supposed to override group policy attributes anyway. Am I missing something here? When I looked up the WebVPN filtering before trying this configuration, I found that the "vpn-filter" command that is used on IPsec VPNs to do this same thing is not supposed to work at all on SSL VPNs and that this was the method that I had to use. I'm kind of stuck here, as I have checked out several different config guides and references on Cisco and none of them mention any other config steps than those below. I am pretty well versed in IPsec site-to-site and RAS VPNs but am pretty new to the SSL VPN technology. I'm starting to wonder if the WebVPN filtering is only good on the "clientless" SSL VPN, but most of the documentation treats the clientless the same as AnyConnect.
Any help from those that have done this or something similar before would be appreciated. I have gotten past the stage where advice from laymen would be interesting though.
Never mind. I answered my own question with a little testing. Seems I got too far down one road to test and didn't test the other one. Though I do wish that the AnyConnect configuration sections in the ASA CLI config guides were a little more verbose, as well as the config guides specifically for it. Anyway, the answer is that the "webvpn filter" command is just for the clientless (not client) SSL VPN. The "vpn-filter" command that can be used with the IPsec VPN client can also be used with the AnyConnect client to filter traffic.
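The distinction in the answer above, as an added configuration example that is not from the original poster or from Cisco's documentation: a webtype ACL applied with "filter value" under webvpn only governs clientless portal sessions, while an extended ACL applied with "vpn-filter value" governs the tunneled traffic of an AnyConnect client. The username, ACL names, pool and inside addresses below are hypothetical.

```cisco
! Address pool handed to AnyConnect clients (hypothetical addresses)
ip local pool ANYCONNECT_POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0

! --- Clientless-only filtering ---
! A webtype ACL matches the URLs a clientless (portal) user may open.
! It has NO effect on traffic tunneled by the AnyConnect client.
access-list CLIENTLESS_WEBACL webtype permit url http://intranet.example.com/*
access-list CLIENTLESS_WEBACL webtype permit url cifs://fileserver.example.com/*
access-list CLIENTLESS_WEBACL webtype deny url any log

! --- AnyConnect (full tunnel) filtering ---
! An extended ACL applied with vpn-filter is evaluated against the tunneled
! packets. Source = the VPN client address (from the pool), destination =
! the inside resource and service being permitted. Everything else is
! dropped by the implicit deny.
access-list ANYCONNECT_FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 10.10.10.20 eq 80
access-list ANYCONNECT_FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 10.10.10.30 eq 445
access-list ANYCONNECT_FILTER extended deny ip any any log

! Per-user attributes: vpn-filter applies to the AnyConnect session,
! the webvpn "filter value" applies only if the same user logs in to
! the clientless portal. User attributes override the group policy.
username jdoe attributes
 vpn-filter value ANYCONNECT_FILTER
 webvpn
  filter value CLIENTLESS_WEBACL

! The same two commands may be set in the group policy instead of per user,
! which is the usual choice when the restriction applies to a group.
group-policy RESTRICTED_GP internal
group-policy RESTRICTED_GP attributes
 vpn-filter value ANYCONNECT_FILTER
 webvpn
  filter value CLIENTLESS_WEBACL

! Verification: the session detail shows which filter the ASA actually applied.
! show vpn-sessiondb detail anyconnect filter name jdoe
! show access-list ANYCONNECT_FILTER   (hit counts increment as traffic is matched)
```

A practical caveat: once vpn-filter is in place, the extended ACL must also permit any inside-initiated traffic the client is expected to accept (for example, a management ping or an endpoint agent), since the filter is applied to the whole tunnel, not only to connections the client opens. Test with the hit counts in "show access-list" before rolling the filter into a group policy that affects everyone.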